Agenda
Agenda is based on main e-functionalities of the eID card
Introduction
Certificates and Signatures
Data capture
Authentication and Authorization
Introduction: Certificates and Signatures
What are certificates and signatures
Types of signatures
Binary blobs vs. XML based
.NET XAdES library
Introduction: Data capture
Capture identity information from eID card
Interface of the eID middleware is quite technical
Requires intensive study
C API with C structs
Return codes
Requires deep technical profile
C/C++ knowledge
Interfacing with .NET not out-of-the-box
Introduction: Data capture
What have we done to assist?
.NET wrapper around FedICT middleware
Easier to understand and use
Simple OO interface
Adding a reference to the wrapper is enough to start
Usable from any .NET language and VB6
Can be exposed as COM component
Introduction: Authentication & Authorization
What is Authentication and Authorization
Types of authentication
Windows logon
ASP.NET site
Federal Portal
Custom made vs. Partner Solution
Agenda
Introduction
Certificates and Signatures
Data capture
Authentication and Authorization
Certificates
What is an X509 v3 certificate?
Digitally signed statement
Contains a public key and information about the owner
Is linked to a private key
Private key is only accessible and usable by owner
Where do they come from?
Issued by a Certification Authority (CA)
CA has responsibility for validating the request
CA provides private key
CAs can delegate certificate issuing to intermediate CAs
What can they be used for?
Possible uses of a certificate are specified on the certificate
We'll focus here on signing and authentication
Certificates
eID card contains certificates
Signing and authentication
Root and intermediary CAs
Tool to view certificates: MMC
Snap-in for Current User
Snap-in for Local Machine
Snap-in for Service Accounts
Registration of eID certificates in Windows certificate store
Demo registration certificates
Signatures
What is a digital signature?
Proof that owner of private key signed doc
Signature can be verified by receiver
Signature types
Binary blobs vs. XML
XMLDSIG and XAdES
Signatures
Scenario
Alice sends document to Bob
Alice wants to assure Bob that the document is hers
Signatures
One-way calculation of 'Message Digest'
Hash algorithm
Highly unlikely someone else can generate same digest from other document
Digest is small
Digest algorithm SHA1: 20 bytes
[Diagram: Message -> Hash -> Message Digest]
Signatures
Message digest is encrypted with Alice's private key
[Diagram: Message Digest -> Encrypt (Private key) -> Signature]
Alice sends document and signature to Bob
Signatures
Bob receives document with signature
Calculates message digest on document
[Diagram: Message -> Hash -> Message Digest]
Bob decrypts signature with Alice's public key
Verify both message digests are identical
[Diagram: Signature -> Decrypt (Public key) -> Message Digest]
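The Alice/Bob flow of the three preceding slides in .NET, as an added example that is not part of the presentation. Alice hashes the document and signs only the digest; Bob recomputes the digest over what he received and checks it against the signature with her public key, and a copy altered by Mallory fails. The slides name SHA1 (20 bytes); the code uses SHA-256 because SHA-1 is no longer acceptable for new signatures. The names, contract text and key sizes are constructed; it targets .NET 5 or later.

```csharp
// Added example, not from the presentation: hash-then-sign and verify,
// with a tampered copy failing verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class DigestSignatureDemo
{
    // Alice's side: one-way digest of the document, then sign the 32-byte digest
    // with her private key (RSA PKCS#1 v1.5 signature padding).
    public static byte[] Sign(RSA alicePrivateKey, byte[] document)
    {
        byte[] digest = SHA256.HashData(document);
        return alicePrivateKey.SignHash(digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Bob's side: recompute the digest over the received document and compare it
    // with the digest recovered from the signature using Alice's public key.
    public static bool Verify(RSA alicePublicKey, byte[] document, byte[] signature)
    {
        byte[] digest = SHA256.HashData(document);
        return alicePublicKey.VerifyHash(digest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        using RSA alice = RSA.Create(2048);

        // Bob only ever holds the public half, as he would get it from Alice's certificate.
        using RSA alicePublic = RSA.Create();
        alicePublic.ImportRSAPublicKey(alice.ExportRSAPublicKey(), out _);

        byte[] contract = Encoding.UTF8.GetBytes("I owe B 1000 EUR, to be paid on 31/12/2004"); // constructed
        byte[] signature = Sign(alice, contract);
        Console.WriteLine($"Digest: {SHA256.HashData(contract).Length} bytes, signature: {signature.Length} bytes");

        Console.WriteLine("Bob verifies original: " + Verify(alicePublic, contract, signature));

        // Mallory changes one digit in transit: the recomputed digest no longer
        // matches the one inside the signature, so verification fails.
        byte[] tampered = Encoding.UTF8.GetBytes("I owe B 9000 EUR, to be paid on 31/12/2004");
        Console.WriteLine("Bob verifies tampered: " + Verify(alicePublic, tampered, signature));
    }
}
```

Bob's trust in the result is only as good as his reason to believe the public key is Alice's, which is what the certificate and CA chain of the previous slides provide.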
Signatures on Windows platform
Using MS Office (XP & 2003)
Word, Excel, PowerPoint, InfoPath (Office 2003)
Outlook
XMLDSIG
Using .NET class
XAdES
Using .NET XAdES library
Signing MS Office documents
Signing documents
Demo signature in Word
Show tampering by Mallory
Demo signature in Excel
Demo signature in InfoPath
Show XML
Signing mail
Problem
eID card doesn't contain email address
Patch registry needed
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
"SupressNameChecks"=dword:00000001
Demo Outlook
XML Digital Signatures
W3C standard for signatures: XMLDSIG
XML based
W3C recommendation
http://www.w3.org/TR/xmldsig-core/
'Human readable' format
Signatures before this standard were binary blobs
Example binary signatures: signatures in Word
Example XMLDSIG signatures: signatures in InfoPath
Existing tools can be used
Notepad vs. Berviewer
Easier to understand
XMLDSIG
Core standard for new XML standards
Security Assertion Markup Language (SAML)
OASIS
XML framework for exchanging authentication and authorization information
XML Advanced Electronic Signatures (XAdES)
ETSI
XML format for Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures, and with long term validity.
XMLDSIG
What does it look like
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="..." />
    <SignatureMethod Algorithm="..." />
    <Reference URI="#data" Id="enveloped">
      <DigestMethod Algorithm="..." />
      <DigestValue>SyNLjOrOTANUQX7K3504GPnrPss=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object Id="data">...</Object>
</Signature>
XMLDSIG
Creating XMLDSIG signature with .NET
Demo code sample
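The demo code itself is not on the slides. As an added example (not the presentation's sample), the following builds the enveloping structure shown two slides earlier (a Reference with URI="#data" pointing at an Object with Id="data", plus X509Data in KeyInfo) with the .NET SignedXml class, and then verifies it. A self-signed certificate is generated so it runs stand-alone; the subject name and payload are constructed. On .NET Core/.NET 5+ SignedXml comes from the System.Security.Cryptography.Xml package.

```csharp
// Added example, not the presentation's demo: enveloping XMLDSIG signature
// created and verified with System.Security.Cryptography.Xml.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class XmlDsigDemo
{
    public static XmlElement SignEnveloping(X509Certificate2 signer, XmlDocument payload)
    {
        var signedXml = new SignedXml();
        signedXml.SigningKey = signer.GetRSAPrivateKey();
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // <Object Id="data"> carries the signed content inside the Signature element.
        var dataObject = new DataObject { Id = "data", Data = payload.ChildNodes };
        signedXml.AddObject(dataObject);

        // <Reference URI="#data"> with a SHA-256 <DigestMethod>/<DigestValue>.
        var reference = new Reference("#data") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        signedXml.AddReference(reference);

        // <KeyInfo><X509Data><X509Certificate> so the receiver sees which certificate signed.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signer));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        return signedXml.GetXml();
    }

    // Verify against a certificate the receiver already trusts. The parameterless
    // CheckSignature() would trust whatever certificate the sender placed in
    // <KeyInfo>, which only proves the XML is consistent with itself.
    public static bool Verify(XmlElement signatureElement, X509Certificate2 trusted)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signatureElement.OuterXml);
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(doc.DocumentElement);
        // true: check the signature with this certificate's key only; trust in the
        // certificate itself is established separately (see the certificates slides).
        return signedXml.CheckSignature(trusted, true);
    }

    public static void Main()
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=Alice (constructed)", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 alice = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));

        var payload = new XmlDocument();
        payload.LoadXml("<contract>I owe B 1000 EUR, to be paid on 31/12/2004</contract>"); // constructed

        XmlElement signature = SignEnveloping(alice, payload);
        Console.WriteLine(signature.OuterXml);
        Console.WriteLine("Valid with Alice's certificate: " + Verify(signature, alice));

        // Tamper with the signed content; the <DigestValue> no longer matches.
        signature.SelectSingleNode(".//*[local-name()='contract']").InnerText = "I owe B 9000 EUR";
        Console.WriteLine("Valid after tampering: " + Verify(signature, alice));
    }
}
```

For an eID-signed document the signer certificate comes from the card rather than from CertificateRequest, and the verifier should chain it to the eID root and intermediate CAs instead of comparing against a single known certificate.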
XML Advanced Electronic Signatures
Aka XAdES
European Telecommunications Standards Institute (ETSI)
Compliant with European Directive 1999/93/EC on Electronic Signatures
http://uri.etsi.org/01903/v1.1.1/
Why XAdES?
XAdES opens up compelling possibilities
New use cases beyond XMLDSIG
XAdES specification is compliant with the European Directive
Why XAdES?
Main XMLDSIG use case
Short lived e-commerce style sales transactions
Some common use cases for XAdES
Counter signatures
Non-repudiation
Long-lived contracts
Why XAdES?
Counter signatures
Signature added to a document that has already been signed
To witness the first signature
To confirm an authorization
In case of multiple stakeholders
XMLDSIG doesn't provide for counter signing out of the box
Why XAdES?
Non-repudiation
A signs contract “I owe B 1000€, to be paid on 31/12/2004”
B receives and timestamps contract
A revokes certificate
B asks for the 1000€
A refuses to pay claiming that signature was forged
A & B meet in court: B can prove that signature was made at a time when A’s certificate wasn’t revoked
[Timeline diagram of the events above, ending at 31/12/2004]
Why XAdES?
Signing contracts that have a 'shelf-life' of multiple years
Issue
Over time weaknesses may occur in cryptographic algorithms used to create ES
XAdES solution
XAdES-A form: ArchiveTimeStamp element
Can be nested
Verifier has task to add ArchiveTimeStamp well before algorithm becomes compromised
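The step "B receives and timestamps contract" on the non-repudiation slide, and the timestamp tokens that XAdES-A nests as ArchiveTimeStamp elements, both rest on an RFC 3161 time-stamp token over the signature value. As an added example (not from the presentation and not the XAdES library's code), this requests such a token with .NET's System.Security.Cryptography.Pkcs types and then checks the point B must prove in court: that the certified time precedes A's revocation. The TSA URL is a placeholder and a reachable time-stamping authority is needed, so this is not an offline demo.

```csharp
// Added example, not from the presentation: RFC 3161 time-stamping of a
// signature value and the "signed before revocation" check.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class TimestampDemo
{
    // B's side, right after receiving the contract: ask the TSA to bind a time
    // to the hash of A's signature value. tsaUrl is a placeholder for a real TSA.
    public static async Task<Rfc3161TimestampToken> TimestampAsync(HttpClient http, Uri tsaUrl, byte[] signatureValue)
    {
        // A fresh nonce ties the TSA's answer to this particular request.
        ReadOnlyMemory<byte> nonce = RandomNumberGenerator.GetBytes(16);
        Rfc3161TimestampRequest request = Rfc3161TimestampRequest.CreateFromData(
            signatureValue, HashAlgorithmName.SHA256, nonce: nonce, requestSignerCertificates: true);

        using var content = new ByteArrayContent(request.Encode());
        content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
        using HttpResponseMessage response = await http.PostAsync(tsaUrl, content);
        response.EnsureSuccessStatusCode();
        byte[] responseBytes = await response.Content.ReadAsByteArrayAsync();

        // ProcessResponse rejects a token whose hash, nonce or policy do not match the request.
        return request.ProcessResponse(responseBytes, out _);
    }

    // Years later: the token must be a valid TSA signature over exactly this
    // signature value, and the time it certifies (plus the TSA's stated accuracy)
    // must lie before the moment A's certificate was revoked.
    public static bool SignedBeforeRevocation(Rfc3161TimestampToken token, byte[] signatureValue, DateTimeOffset revokedAt)
    {
        if (!token.VerifySignatureForData(signatureValue, out X509Certificate2 tsaCertificate))
            return false;
        // tsaCertificate must additionally chain to a TSA root the court accepts (not shown).

        TimeSpan accuracy = token.TokenInfo.AccuracyInMicroseconds is long micros
            ? TimeSpan.FromTicks(micros * 10)   // one tick is 100 ns
            : TimeSpan.Zero;
        DateTimeOffset signedNoLaterThan = token.TokenInfo.Timestamp + accuracy;
        return signedNoLaterThan < revokedAt;
    }

    public static async Task Main()
    {
        using var http = new HttpClient();
        var tsaUrl = new Uri("https://tsa.example.invalid/tsr"); // placeholder, not a real TSA
        byte[] signatureValue = new byte[256];                  // constructed: stands in for A's signature bytes
        RandomNumberGenerator.Fill(signatureValue);

        Rfc3161TimestampToken token = await TimestampAsync(http, tsaUrl, signatureValue);
        DateTimeOffset revokedAt = new DateTimeOffset(2004, 6, 1, 0, 0, 0, TimeSpan.Zero); // constructed
        Console.WriteLine("Certified time: " + token.TokenInfo.Timestamp);
        Console.WriteLine("Made before revocation: " + SignedBeforeRevocation(token, signatureValue, revokedAt));
    }
}
```

The archive case on the next slide is the same operation repeated: before the hash or signature algorithm of the existing token weakens, a new token is taken over the whole signature including the earlier tokens, which is why the ArchiveTimeStamp element can be nested.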
Why a XAdES library for .NET?
Creating applications that use XAdES is a challenge
XAdES technical specification is quite detailed
70 printed pages
XAdES schema file (XAdES.XSD) is 19KB
Over 120 different elements
Why a XAdES library for .NET?
Get a head start in XAdES development
XAdES library eases development
Development from technical RFC style documentation is not an everyday job for most business solution developers
Lets you get results faster
Built-in checks can help you detect mistakes earlier
About XAdES
XAdES extends XMLDSIG
XAdES uses extension mechanism of XMLDSIG
A XAdES signature is a XMLDSIG signature
[Diagram: Signature (XMLDSIG) containing SignedInfo (XMLDSIG), SignatureValue (XMLDSIG), KeyInfo (XMLDSIG) and Object (XMLDSIG); the Object holds the XAdES SignedProperties and UnsignedProperties]
About XAdES
XML structure
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod />
    <SignatureMethod />
    <Reference URI="#SignedPropertiesId" />
  </SignedInfo>
  <SignatureValue />
  <KeyInfo />
  <Object Id="XadesObjectId">
    <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#">
      <SignedProperties Id="SignedPropertiesId" />
      <UnsignedProperties />
    </QualifyingProperties>
  </Object>
</Signature>
XAdES .NET library architecture
XAdES extends XMLDSIG
XAdES library extends .NET XMLDSIG implementation
XadesSignedXml derives from SignedXml
Backwards compatible with XMLDSIG signatures
Property SignatureStandard
XAdES .NET library architecture
Serialization model same as in SignedXml class
GetXml
Flatten the object model into XML
LoadXml
Hydrate object model from XML
XAdES schema validation
XAdES .NET library architecture
Dotted notation
XAdES XML elements are nested quite deep
<Object>
  <QualifyingProperties>
    <SignedProperties>
      <SignedSignatureProperties>
        <SignatureProductionPlace>
          <City>Brussels</City>
        </SignatureProductionPlace>
      </SignedSignatureProperties>
    </SignedProperties>
  </QualifyingProperties>
</Object>
Automatic instantiation of nested object graph
Easy dotted notation with Intellisense assistance
xadesObject.QualifyingProperties.SignedSignatureProperties.SignatureProductionPlace.City = "Brussels";
Only "dirty" objects get serialized
Use cases revisited
Counter Signature sample code
// Load the existing signature that will become the counter signature.
XadesSignedXml newXadesSignedXml = new XadesSignedXml();
XmlDocument signatureXmlDocument = new XmlDocument();
// Whitespace is part of the signed bytes: without PreserveWhitespace the
// digests of the loaded signature would no longer verify.
signatureXmlDocument.PreserveWhitespace = true;
signatureXmlDocument.Load(this.counterSignatureFileTextBox.Text);
newXadesSignedXml.LoadXml(signatureXmlDocument.DocumentElement);
// Attach it under the UnsignedSignatureProperties of the signature being
// counter-signed (unsignedSignatureProperties is obtained earlier in the
// test client; not shown on the slide).
unsignedSignatureProperties.CounterSignatureCollection.Add(newXadesSignedXml);
Deliverables .NET XAdES library
Windows installer file
Microsoft.Xades.dll
The xcopy-deployable library
XAdESLibraryDocumentation.chm
Help file
XadesTestClient.exe
Test client showing most use cases
Source code of library and test client
Agenda
Introduction
Certificates and Signatures
Data capture
Authentication and Authorization
Data capture
Architecture of .NET wrapper
Managed C++ class
[Architecture diagram: Your client; .NET classes Card, Identity and Address; Managed C++ class; FedICT eidlib; FedICT CSP]
Role of wrapper
Managed C++ class hides complexity
Turn C API and C structs into .NET OO class
Turn error codes and status information into .NET exceptions
Conversions
UTF8 into string
Byte array to picture
Byte array to .NET certificate classes
Init and Exit functions into constructor/destructor
Façade class Card makes use easy
Agenda
Introduction
Certificates and Signatures
Data capture
Authentication and Authorization
Authentication & Authorization
Custom written web authentication
Using eID certificate
End-to-end solutions from partners exist
Upcoming presentations
Custom Authentication
Capture certificate information on server
Imports System.Security.Cryptography.X509Certificates

Public Class LogonPage
    Inherits System.Web.UI.Page

    Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
        ' Client certificate presented in the TLS handshake, as IIS hands it to ASP.NET
        Dim clientCert As HttpClientCertificate
        clientCert = Request.ClientCertificate
        Response.Write(" IsPresent:" & clientCert.IsPresent)
        Response.Write(" Issuer:" & clientCert.Issuer & "<br>")
        Response.Write(" IsValid:" & clientCert.IsValid & "<br>")
        ' Raw DER bytes of the certificate wrapped in the .NET certificate class
        Dim x509Cert = New X509Certificate(clientCert.Certificate)
        Response.Write("Hash:" & x509Cert.GetCertHashString())
        MyBase.Render(writer)
    End Sub
End Class
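The VB sample dumps IsPresent, IsValid and the hash. As an added example (not from the presentation), the following C# shows the checks a custom eID logon should actually apply to the DER bytes from Request.ClientCertificate.Certificate before trusting the identity in them: the certificate must be an authentication certificate (client-authentication EKU, not the card's signing certificate), it must chain with revocation checking, and the issuing CA must be the one you expect rather than any CA the server happens to trust. The CA thumbprint is a placeholder to be replaced with the real eID citizen CA; the method and constant names are this example's own.

```csharp
// Added example, not from the presentation: server-side acceptance checks
// for an eID authentication certificate received over TLS.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertificatePolicy
{
    const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    // PLACEHOLDER: SHA-1 thumbprint of the CA that issues eID authentication certificates.
    const string PinnedCaThumbprint = "PLACEHOLDER_THUMBPRINT_OF_CITIZEN_CA";

    // derCertificate: Request.ClientCertificate.Certificate
    public static bool Accept(byte[] derCertificate, out string subject, out string reason)
    {
        subject = null;
        using var cert = new X509Certificate2(derCertificate);

        // 1. Only a certificate marked for client authentication may log on. The
        //    eID signing certificate is a different certificate with a different purpose.
        bool hasClientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (Oid oid in eku.EnhancedKeyUsages)
                    if (oid.Value == ClientAuthEku) hasClientAuth = true;
        if (!hasClientAuth) { reason = "certificate lacks the clientAuth extended key usage"; return false; }

        // 2. Build the chain ourselves with online revocation checking, so a revoked
        //    card is refused even if the web server's own validation was laxer.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));
        if (!chain.Build(cert))
        {
            reason = "chain: " + string.Join("; ", Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            return false;
        }

        // 3. Pin the issuing CA: element 0 is the leaf, the rest are the CAs that
        //    vouched for it. Any trusted root is not good enough for a logon decision.
        bool issuedByPinnedCa = false;
        for (int i = 1; i < chain.ChainElements.Count; i++)
            if (string.Equals(chain.ChainElements[i].Certificate.Thumbprint, PinnedCaThumbprint, StringComparison.OrdinalIgnoreCase))
                issuedByPinnedCa = true;
        if (!issuedByPinnedCa) { reason = "certificate was not issued under the expected CA"; return false; }

        // 4. The identity comes from the certificate subject the CA signed, never from a form field.
        subject = cert.Subject;
        reason = "accepted";
        return true;
    }
}
```

In the LogonPage above this would replace the Response.Write lines: call Accept with clientCert.Certificate and only establish the session when it returns true, logging the reason otherwise.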
Authentication using FedICT Federal Portal
Authorization solution until eID is rolled out
Targeted at government clients
.NET solution
Developed in collaboration with Cipal and FedICT
Usable from ASP.NET and ASP
Deliverables
Cookbook with source code available for download
Solution architecture
[Architecture diagram with labels: Default.asp, Logonredirect.asp, Logon.asp, OK, iLoket pages, Error message, FEDICT, DOMAIN, TARGET, LANGUAGE, Cipal.Authentication.dll, SAML]
Christophe Pagone
Windows logon using eID
Requires Graphical Identification and Authentication dll (GINA)
Sample GINA code in the Platform SDK security samples
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina.asp
More information: [email protected]
Summary of deliverables
.NET wrapper and samples for eID API
XAdES .NET library and documentation
.NET cookbook with code for authentication service of Federal Portal